Malicious domains are key components in a variety of different cyberattacks, such as phishing, botnets, command and control, and spam. It is therefore important to be able to discover and block access to these attack enablers.
Many techniques have been proposed to identify malicious domains, utilizing different types of local network and host information [1, 3, 8]. DNS data has been exploited in some of these efforts. The general conventional approaches extract multiple features from DNS records as well as DNS queries and responses, which may further be enhanced with historical patterns and network traffic features of local hosts (those issuing DNS queries). Based on these features and some training datasets, a classifier can be built to distinguish malicious domains from benign ones.
Such approaches are effective as long as the features used in the classifier are not manipulated. However, it has been shown that many of the features used are not robust [12]. That is, attackers could change the features of malicious domains or infected hosts to evade detection. For example, patterns in domain names (e.g. number of characters or pronounceable words) can obviously be altered easily [5, 6] without affecting attacking capabilities. Similarly, attackers can also change the Time To Live (TTL) for DNS query caching if it is used as a feature for detection.
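The conventional feature-based approach described above, as an added illustration that is not part of the original text or of the referenced work. It extracts local features (name length, per-label character entropy, digit ratio, hyphen count, TTL) from a handful of constructed passive-DNS records and scores them with hand-picked thresholds that stand in for a trained classifier. The records, thresholds and the public-suffix simplification (the last label is treated as the TLD) are all assumptions made for the example.

```python
import math
from collections import Counter

# Constructed passive-DNS records (hostname, resolved IP, TTL in seconds).
# These are sample values made up for this example, not real observations.
SAMPLE_RECORDS = [
    {"domain": "www.example.com", "ip": "93.184.216.34", "ttl": 86400},
    {"domain": "mail.example.org", "ip": "203.0.113.5", "ttl": 3600},
    {"domain": "x7k9q2v4p1.example.net", "ip": "198.51.100.77", "ttl": 60},
    {"domain": "update-secure-login.example.info", "ip": "198.51.100.78", "ttl": 30},
]


def shannon_entropy(text):
    """Shannon entropy in bits per character of a string ('' -> 0.0)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def extract_features(record):
    """Local, per-domain features of the kind the conventional approach uses.

    Lexical features are computed per DNS label and aggregated with max(),
    so a single odd label is enough to stand out. The last label is dropped
    as the TLD; a real system would consult a public-suffix list instead
    (simplifying assumption for this example).
    """
    labels = [lab for lab in record["domain"].lower().split(".") if lab]
    body = labels[:-1] or labels or [""]
    return {
        "name_length": len(record["domain"]),
        "label_count": len(labels),
        "max_entropy": max(shannon_entropy(lab) for lab in body),
        "max_digit_ratio": max(
            (sum(ch.isdigit() for ch in lab) / len(lab)) if lab else 0.0
            for lab in body
        ),
        "max_hyphens": max(lab.count("-") for lab in body),
        "ttl": record["ttl"],
    }


# Hand-picked thresholds stand in for a classifier learned from training data.
# Every one of these features is under the domain owner's control, which is
# exactly the robustness problem the text raises.
RULES = {
    "max_entropy": lambda v: v >= 3.0,      # random-looking label
    "max_digit_ratio": lambda v: v >= 0.3,  # many digits in a label
    "max_hyphens": lambda v: v >= 2,        # keyword-stuffed label
    "ttl": lambda v: v <= 300,              # very short caching TTL
}


def score(record):
    """Number of rules the record trips; higher means more suspicious."""
    feats = extract_features(record)
    return sum(1 for name, test in RULES.items() if test(feats[name]))


def flag_domains(records, threshold=2):
    """Domains whose score reaches the threshold, sorted for stable output."""
    return sorted(r["domain"] for r in records if score(r) >= threshold)


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f'{r["domain"]:35} score={score(r)} {extract_features(r)}')
    print("flagged:", flag_domains(SAMPLE_RECORDS))
```

Running the block flags the two constructed records with a random-looking or keyword-stuffed label and a short TTL, and leaves the two ordinary hostnames at score 0. The point the surrounding text makes is visible in the rule table itself: each threshold keys on something the registrant chooses, so a detector built only on such features has to be retrained whenever those choices shift.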
It has been proposed to identify malicious domains through analysis of DNS data. The general conventional approach is to build classifiers based on DNS-related local domain features. However, one problem with this conventional approach is that many local features (e.g. domain name patterns and temporal patterns) tend not to be robust. Attackers can easily alter these features to evade detection.
The present invention seeks to provide improved methods and systems for detecting malicious domains. Reference is made to “Discovering Malicious Domains through Passive DNS Data Graph Analysis,” Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, Xi'an, China, May 30-Jun. 3, 2016; which is incorporated herein by reference.